How does Intel® Identity Protection Technology (Intel® IPT) work?

Intel IPT with multifactor authentication (MFA)

Intel IPT with MFA is a connected framework that provides the fundamental building blocks for an end-to-end, policy-based identity and access management solution that integrates well within an IT infrastructure. It will give IT more flexibility to specify the combination of hardened authentication factors used for various enterprise applications.

A firmware-based MFA engine in the client enforces policies delivered from IT. This framework enables authentication that goes beyond the user and the platform alone: the user, the platform, and the network now authenticate each other.

Intel® IPT with MFA supports three use cases:

Walk Away Lock pairs a user's Android*-based Bluetooth* phone with their PC so that enterprise data is locked down automatically should the user walk away from the PC with the phone. The PC recognizes that the Bluetooth-paired phone is out of proximity range and locks the system. Upon return, the PC recognizes that the Bluetooth phone is back in proximity and, rather than asking for the long domain login, prompts for a six-digit PIN.

Domain/OS Login allows enterprises to take advantage of hardened PKI solutions, ensuring that when users log in to the domain, their keys are encrypted and stored in hardware, rather than in software where they can more easily be exposed to malware.

VPN Login, similarly to the Domain/OS Login, provides added assurance to an enterprise that their keys used for VPN authentication are encrypted and stored in hardware, rather than in software where they can more easily be exposed to malware.

Intel IPT with one-time password (OTP)

Intel IPT strengthens network and website access with second-factor authentication using OTP tokens. When a user visits a website that uses Intel IPT from an Intel IPT-enabled device, after user opt-in, the website can provision the embedded OTP token and bind it to that user's account. The OTP token generates a single-use password that expires after just 30 seconds. Enterprise web properties can use this OTP token in conjunction with a username and password to get strong two-factor authentication. Since the token is built right into the device hardware, it is more convenient for users and cheaper for businesses to deploy and manage. It also does not incur per-transaction charges like SMS, which can build up under high-volume usage. Intel IPT with OTP is available on all PCs using 2nd generation or later Intel® Core™ processors and select Intel® Atom™ processor tablets and phones.
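To make the "single-use, expires after 30 seconds" property concrete, here is an added example of the website-side verifier that would check such a code. It is not Intel's code and is not part of the original page. The page does not say which algorithm the embedded token uses, so the choice of RFC 6238 TOTP over HMAC-SHA1, the 6-digit code length, the one-step clock-skew allowance, and the demo seed are all assumptions; in a real Intel IPT deployment the seed would live in the embedded security processor rather than in host memory, and only the website holds a copy.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 6238 test-vector secret "12345678901234567890").
# Assumption: in a real deployment this seed is provisioned into the hardware
# token at opt-in and mirrored only on the website's authentication server.
DEMO_SECRET = b"12345678901234567890"

TIME_STEP = 30   # seconds per code; matches the 30-second expiry described above
DIGITS = 6       # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the token side computes for the current 30-second window."""
    return hotp(secret, unix_time // step)


class OtpVerifier:
    """Website side. Accepts a code only if it matches the current window
    (plus or minus `skew_steps` windows of clock drift) and has not been
    consumed before, which is what makes the password single-use."""

    def __init__(self, secret: bytes, step: int = TIME_STEP, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew_steps
        self.last_counter_used = -1   # highest time-step counter accepted so far

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            # Replay defence: a window that has already produced an accepted
            # code (or any earlier window) can never be accepted again.
            if candidate <= self.last_counter_used:
                continue
            # Constant-time compare so response timing does not leak the code.
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter_used = candidate
                return True
        return False


if __name__ == "__main__":
    v = OtpVerifier(DEMO_SECRET)
    t = 59
    code = totp(DEMO_SECRET, t)
    print("token emits", code, "accepted:", v.verify(code, t))      # True
    print("same code replayed:", v.verify(code, t))                  # False
    print("same code long after expiry:", v.verify(code, t + 3600))  # False
```

The time-step counter, not wall-clock seconds, is what is tracked, so two successive logins inside one 30-second window with the same code are refused, while a fresh code from the next window is accepted. The verifier's state (`last_counter_used`) must be persisted per user account on the server for the single-use guarantee to hold across requests.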

Intel IPT with public key infrastructure (PKI)

Intel IPT also includes PKI support built into the device hardware, where RSA key pairs and certificates are generated in the embedded security processor. This can help authenticate a user to the device via domain/OS login and the device to the network via VPN. Enterprises already using PKI can manage Intel IPT with PKI devices using Microsoft CryptoAPI*. Intel IPT with PKI provides enterprises with hardware-based security while saving on the additional cost of traditional smart cards and readers or special-order PCs. This technology is built into all 3rd generation or later Intel® vPro™ platforms.

Intel IPT with protected transaction display (PTD)

Intel IPT with PTD can display information to the user and receive input from the user using the embedded security processor. Information displayed using PTD (e.g., a PIN pad, virtual keyboard, or CAPTCHA) is designed to be visible only to a user physically present in front of the device. Users provide input by clicking the buttons on such a PIN pad, keyboard, or other widget. Therefore, in addition to protecting user inputs, meaningful user interaction with such information helps indicate user presence. Intel IPT with PTD is available on all PCs using 3rd generation or later Intel® Core™ processors and select Intel® Atom™ processor tablets.